San Bernardino Case May be Over, but Gov Access Issue Will Not Go Away

With recent reports emerging that the US government has dropped its attempts to force Apple into creating a backdoor to the iPhone of San Bernardino gunmen Syed Farook – stating it has now found its own way to access the device – the public would be forgiven for thinking the issue can finally be put to bed.

However, the fact that the Feds have been able to crack the phone without Apple’s help could have interesting ramifications for not only the 12 other Department of Justice (DOJ) demands the tech giant is currently facing but also the wider spectrum of government data access.

Just like in the San Bernardino case, the US government cited the 1789 All Writs Act as the basis for the other dozen requests, with Apple contesting that the aged law should no longer be used by authorities to compel companies to unlock customer data.

Apple’s stance has been clear from the start, stating on several occasions it will take no part in the creation of backdoors which would undermine the security of its users all over the world.

Although it is not clear exactly how the government has been able to crack Farook’s iPhone, there’s no doubt it will come as a blow to Apple who will surely want to know exactly how it’s mechanisms were bypassed so that it can protect other devices, especially those sought by the authorities in the 12 other cases.

However, there is still no official word as to whether the FBI has or will share the exploit with the company, with voices from across the security industry raising concerns over where it could lead if they don’t.

In a blog post on its website Electric Frontier Foundation expressed its pleasure in seeing the DOJ drop what it refers to as a “dangerous and unconstitutional attempt to force Apple to subvert the security of its iOS operating system”, but points out that “any decision to withhold a security vulnerability for intelligence or law enforcement purposes leaves ordinary users at risk from malicious third parties who also may use the vulnerability.”

These are sentiments echoed by Jim Killock, executive director of Open Rights Group, who agrees that if the vulnerability isn’t already known to Apple the FBI should report it to avoid weakening the security of its customers.

"The police and courts need to consider general computer security not just how information can be accessed. Companies should not be forced to weaken products just because there are rare occasions when law enforcement agencies need to get to data," he told Infosecurity.

Exactly what this means for the future of government data access is unclear, but as Steve Lord, co-founder of 44CON and technical director of Mandalorian said, one thing that is now certain is that the government has found a way to access data on Apple products regardless of whether they have a backdoor or not.

“All this proves is that the FBI never really needed Apple to create a backdoor after all; it was simply a matter of convenience for the FBI,” he said. “Hopefully that should provide some consideration for future court cases. Apple is very clearly being used as a testbed, but they have the cash and the will to fight it. It’s clear that the FBI considers user security an obstruction to their goals regardless of any claims of balance, something we shouldn’t forget. Maybe Apple should consider the FBI an obstruction to user security.”

Whilst we may have finally seen the last of the San Bernardino gunmen case, we could be witnessing the beginning of a new era in information security in which authorities have the power to both request access to encrypted data and, should they be denied, take it by force without any repercussions for themselves.